I've recently replaced my old gateway/firewall box with a net4501
and m0n0wall. Its setup with LAN using the default private IP space
(192.168.1.0) and my wireless card/interface is bridged to the LAN.
I also have a small static IP network (/29) and set that up on the
DMZ (opt1). After figuring out that I had to disable NAT (checking
Enable advanced outbound NAT), and add a few firewall rules I got
the DMZ server traffic in/out working and after adding back in an
outbound NAT rule for the 192.168.1.0 network LAN traffic works from
both wired/wireless clients.
The problem I've run into though is from the DMZ servers (one of which
is my workstation) I was seeing lots of problems, web sites, mail
servers, etc. I couldn't access anymore. Lowering the MTU to 1492
on all the DMZ servers eliminates the problem but I must be missing
something as I don't think that should be necessary. The old firewall
(FreeBSD/ipfilter) using the standard userland PPPoE setup, the MTU,
mssclamping thing was all done automagically, I've never used 'mpd' or
NAT before so I'm new to both, I found an old message from Manuel in
the archives:
>What? Tell you what - I have ADSL with PPPoE, too, so I had my fair share
>of MTU problems when I started using FreeBSD/ipfilter instead of a ZyXEL
>router. If you use PPPoE on m0n0wall's WAN interface, it will
>automatically add a "mssclamp 1452" statement to each NAT rule, so the MSS
>clamping that all commercial ADSL routers with PPPoE do should be in
>effect
Apparently since I have a NAT rule for the LAN I have no MTU related
problems with it, but since I don't have any rules for the DMZ no
mssclamping is being done on the DMZ traffic (just LAN traffic).
Seems to me somehow all this should be transparent, automagical,
without the need to manually set the MTU on individual machines, etc.
what am I missing or how do I need to configure m0n0wall to do this?
--
I hate sex on the TV....I keep falling off!!
Mike Hall,
Unix Admin - Rock Island Communications <mikeh at rockisland dot com>
System Admin - riverside.org <mhall at riverside dot org>